2025-01-15 18:19:03 +01:00
|
|
|
{pkgs, ...}: {
|
|
|
|
|
services.postgresql = {
|
|
|
|
|
enable = true;
|
|
|
|
|
enableTCPIP = true;
|
2025-05-12 16:06:40 +02:00
|
|
|
package = pkgs.postgresql_17;
|
|
|
|
|
extensions = with pkgs.postgresql17Packages; [
|
|
|
|
|
pgvector
|
|
|
|
|
];
|
2025-01-15 18:19:03 +01:00
|
|
|
authentication = pkgs.lib.mkOverride 10 ''
|
2025-05-12 16:06:40 +02:00
|
|
|
# Local connections (Unix socket)
|
|
|
|
|
local all postgres peer
|
|
|
|
|
local paperless paperless scram-sha-256
|
|
|
|
|
|
|
|
|
|
# Localhost connections (IPv4 and IPv6)
|
|
|
|
|
host all postgres 127.0.0.1/32 scram-sha-256
|
|
|
|
|
host all postgres ::1/128 scram-sha-256
|
|
|
|
|
host paperless paperless 127.0.0.1/32 scram-sha-256
|
|
|
|
|
host paperless paperless ::1/128 scram-sha-256
|
|
|
|
|
|
|
|
|
|
# Podman network connections for Baserow
|
|
|
|
|
host baserow baserow 10.89.0.0/24 scram-sha-256
|
|
|
|
|
|
|
|
|
|
# Deny all other connections
|
|
|
|
|
local all all reject
|
|
|
|
|
host all all 0.0.0.0/0 reject
|
|
|
|
|
host all all ::/0 reject
|
2025-01-15 18:19:03 +01:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
services.postgresqlBackup = {
|
|
|
|
|
enable = true;
|
|
|
|
|
startAt = "03:10:00";
|
2025-05-12 16:06:40 +02:00
|
|
|
databases = ["baserow" "paperless"];
|
|
|
|
|
};
|
|
|
|
|
networking.firewall = {
|
|
|
|
|
extraCommands = ''
|
|
|
|
|
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5432 -j ACCEPT
|
|
|
|
|
iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 5432 -j ACCEPT
|
|
|
|
|
'';
|
2025-01-15 18:19:03 +01:00
|
|
|
};
|
|
|
|
|
}
|
